===========================================================================================
Manual registration: the agent first sends a certificate signing request (CSR), and the node is only enrolled once the Puppet master confirms (signs) it. This gives a medium level of security. Signing requests one at a time (puppet cert --sign certname) is tedious and slow when there are many nodes; signing in bulk (puppet cert --sign --all) is fast, because one command signs every pending request, but it is less secure, since a bogus or unexpected request gets signed along with the legitimate ones. The safe middle ground is to compare the CSR fingerprint shown by puppet cert --list on the master with the output of puppet agent --fingerprint on the node before signing it by name.
Environment
    master: 192.168.1.70
    agent1: 192.168.1.71
    agent2: 192.168.1.72
===========================================================================================
------------ master ------------
[root@puppet ~]# hostnamectl set-hostname master.ruopu.com
[root@master ~]# vim /etc/hosts
192.168.1.70 master.ruopu.com
192.168.1.71 node1.ruopu.com
192.168.1.72 node2.ruopu.com
[root@master ~]# rsync -e ssh -arvz --progress /etc/hosts 192.168.1.71:/etc
[root@master ~]# rsync -e ssh -arvz --progress /etc/hosts 192.168.1.72:/etc
# Setting the hostnames is essential: all three hosts must be able to resolve each other, because every node's certname is derived from its FQDN and the agents connect to the master by name.
[root@puppet ~]# yum install -y puppet puppet-server facter tree
[root@puppet ~]# vim /etc/puppet/puppet.conf
[main]
    logdir = /var/log/puppet          # default log directory
    rundir = /var/run/puppet          # pid file directory
    ssldir = $vardir/ssl              # certificate store; $vardir defaults to /var/lib/puppet
[agent]
    classfile = $vardir/classes.txt
    localconfig = $vardir/localconfig
    server = master.ruopu.com         # name of the master the agent authenticates against; must be resolvable by every node
    certname = master.ruopu.com       # certname of this host's own agent
[master]
    certname = master.ruopu.com       # certname of the master (CA) server
[root@puppet ~]# touch /etc/puppet/manifests/site.pp
[root@puppet ~]# systemctl start puppetmaster
# Starting the master creates the CA and the master's own certificate, which the CA signs automatically.
[root@master ~]# ss -tln
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    *:8140               *:*
# The master listens on port 8140.
[root@puppet ~]# tree /var/lib/puppet/ssl/
/var/lib/puppet/ssl/
├── ca
│   ├── ca_crl.pem
│   ├── ca_crt.pem
│   ├── ca_key.pem
│   ├── ca_pub.pem
│   ├── inventory.txt
│   ├── private
│   │   └── ca.pass
│   ├── requests
│   ├── serial
│   └── signed
│       └── master.ruopu.com.pem
# signed/ already holds the master's certificate, so the master itself is enrolled. ca_key.pem is the CA private key: whoever can read it can issue a certificate for any certname, so it must stay readable by root only.
[root@puppet ~]# puppet cert --list --all
+ "master.ruopu.com" (SHA256) B5:A8:47:D4:FE:4E:FE:AC:5E:48:A2:C0:CF:7E:CB:1D:B9:03:26:8F:1F:66:6B:9A:29:E3:C7:39:E0:5E:D6:E0 (alt names: "DNS:master.ruopu.com", "DNS:puppet", "DNS:puppet.ruopu.com")
# A leading "+" marks a certificate that has already been signed.
[root@puppet ~]# tail -f /var/log/puppet/masterhttp.log
# Follow the master's HTTP log while the agents connect.
--------------- agent1 & agent2 ---------------
[root@puppettest1 ~]# hostnamectl set-hostname node1.ruopu.com
[root@puppettest1 ~]# yum install -y puppet facter
[root@node1 ~]# vim /etc/puppet/puppet.conf
[main]
    logdir = /var/log/puppet
    rundir = /var/run/puppet
    ssldir = $vardir/ssl
[agent]
    classfile = $vardir/classes.txt
    localconfig = $vardir/localconfig
    server = master.ruopu.com         # points at the puppetmaster
    certname = node1.ruopu.com        # this node's own certname (node2.ruopu.com on agent2)
    listen = true                     # make the agent listen on port 8139 so the master can trigger runs with puppet kick
[root@node1 ~]# vim /etc/puppet/auth.conf
path /run
method save
auth any
allow master.ruopu.com
# Insert these four lines near the end of the file, just above the final "path /" stanza (the default deny rule). They let only master.ruopu.com trigger a run on this node.
[root@puppettest1 ~]# systemctl start puppetagent
# Starting the agent generates its key pair and sends a certificate signing request to the master.
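The auth.conf stanza above uses "auth any", which accepts both requests that present a client certificate and requests that present none; for the latter, the allow line is matched against the caller's reverse-DNS name rather than a certname. Since puppet kick runs on the master and presents the master's own certificate, the stricter "auth yes" still lets it through while refusing anything that cannot prove it is master.ruopu.com. The hardened stanza below is an added suggestion, not part of the original tutorial; the file path and certname are the tutorial's.

```text
# /etc/puppet/auth.conf on each agent (Puppet 3.x syntax).
# Place this stanza above the final "path /" deny-all rule.

# As shown in the tutorial (weaker): "auth any" also admits requests with no
# client certificate, matched only by the peer's reverse-DNS name.
#   path /run
#   method save
#   auth any
#   allow master.ruopu.com

# Stricter form: the caller must present a certificate issued by the Puppet CA
# whose certname is master.ruopu.com. puppet kick run on the master satisfies this.
path /run
method save
auth yes
allow master.ruopu.com
```

After editing, restart the agent so the listener re-reads auth.conf, and confirm from the master that puppet kick still reports "Finished" for the node.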
------------ master ------------ [root@master ~]# puppet cert --list --all "node1.ruopu.com" (SHA256) F8:DF:B8:26:AE:92:5D:26:96:D9:21:AE:92:3F:84:40:6F:65:3F:B5:D0:C7:27:AC:12:44:E3:87:09:6B:19:0D + "master.ruopu.com" (SHA256) B5:A8:47:D4:FE:4E:FE:AC:5E:48:A2:C0:CF:7E:CB:1D:B9:03:26:8F:1F:66:6B:9A:29:E3:C7:39:E0:5E:D6:E0 (alt names: "DNS:master.ruopu.com", "DNS:puppet", "DNS:puppet.ruopu.com") # 这时可以看到客户端的请求,没有加号 [root@master ~]# puppet cert --sign --all Notice: Signed certificate request for node1.ruopu.com Notice: Removing file Puppet::SSL::CertificateRequest node1.ruopu.com at '/var/lib/puppet/ssl/ca/requests/node1.ruopu.com.pem' # 签署请求 [root@master ~]# puppet cert --list --all + "master.ruopu.com" (SHA256) B5:A8:47:D4:FE:4E:FE:AC:5E:48:A2:C0:CF:7E:CB:1D:B9:03:26:8F:1F:66:6B:9A:29:E3:C7:39:E0:5E:D6:E0 (alt names: "DNS:master.ruopu.com", "DNS:puppet", "DNS:puppet.ruopu.com") + "node1.ruopu.com" (SHA256) DC:8F:2C:D6:0C:97:6B:F7:1B:A6:48:55:E9:D9:3A:AA:C7:C5:C2:89:86:0E:45:C8:22:68:4B:B7:39:4B:B9:D3 # 已被认证
--------------- agent1 & agent2 ---------------
[root@node1 ~]# ss -tln
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    *:8139               *:*
# Once its certificate has been signed, the agent starts listening on port 8139. This can take a moment after signing, so the listener may not show up immediately.
------------ master ------------
[root@master ~]# puppet kick --all
Warning: Puppet kick is deprecated. See http://links.puppetlabs.com/puppet-kick-deprecation
Warning: Failed to load ruby LDAP library. LDAP functionality will not be available
Finished
# Check that the master can trigger a run on the agents. puppet kick is deprecated in Puppet 3 and was removed in Puppet 4; the LDAP warning is harmless unless LDAP node classification is in use.
[root@master ~]# cd /etc/puppet/modules/
[root@master modules]# mkdir -pv {jdk8,tomcat,nginx}/{manifests,files,templates,lib,spec,tests}
[root@master modules]# yum install -y nginx tomcat java-1.8.0-openjdk-devel
# Installed on the master only to obtain stock configuration files to copy into the modules.
[root@master modules]# vim /etc/nginx/nginx.conf
    location / {
        proxy_pass http://192.168.1.72:8080;      # proxy to the tomcat instance on node2
    }
[root@master modules]# cp /etc/nginx/nginx.conf /etc/puppet/modules/nginx/files/
[root@master modules]# cp /etc/tomcat/server.xml /etc/puppet/modules/tomcat/files/
[root@master modules]# vim nginx/manifests/init.pp
class nginx {
    package{'nginx':
        name   => 'nginx',
        ensure => latest,       # "latest" upgrades the package on every run when the repo has a newer version; use "present" if unplanned upgrades are not wanted
    }
    file{'nginx.conf':
        path   => '/etc/nginx/nginx.conf',
        source => "puppet:///modules/nginx/nginx.conf",
    }
    service{'nginx':
        ensure => running,
        enable => true,
    }
    Package['nginx'] -> File['nginx.conf'] ~> Service['nginx']   # install, then manage the config, then restart the service whenever the config changes
}
[root@master modules]# vim tomcat/manifests/init.pp
class tomcat {
    package{['tomcat','tomcat-webapps','tomcat-admin-webapps','tomcat-docs-webapp']:   # an array title declares several packages at once
        ensure => latest,
    } ->
    file{'server.xml':
        path   => '/etc/tomcat/server.xml',
        source => 'puppet:///modules/tomcat/server.xml',
    } ~>
    service{'tomcat':
        ensure => running,
        enable => true,
    }
}
[root@master modules]# vim jdk8/manifests/init.pp
class jdk8 {
    package{'jdk8':
        name   => 'java-1.8.0-openjdk-devel',
        ensure => latest,
    }
    file{'java.sh':
        path   => '/etc/profile.d/java.sh',
        source => "puppet:///modules/jdk8/java.sh",
    }
}
[root@master modules]# vim jdk8/files/java.sh
export JAVA_HOME=/usr
[root@master modules]# cd /etc/puppet/manifests/
[root@master manifests]# vim site.pp
# Node definitions. Each node name must be the agent's certname exactly (here node1.ruopu.com and node2.ruopu.com); if no node definition and no default node matches, the master refuses the catalog request.
node 'node1.ruopu.com' {
    include nginx
}
node 'node2.ruopu.com' {
    include jdk8
    include tomcat
}
[root@master manifests]# puppet module list
/etc/puppet/modules
├── jdk8 (???)
├── nginx (???)
└── tomcat (???)
# Confirm that the three modules defined above (tomcat, nginx, jdk8) are found. "(???)" only means the modules have no metadata.json declaring a version.
[root@master modules]# puppet kick --all
Warning: Puppet kick is deprecated. See http://links.puppetlabs.com/puppet-kick-deprecation
Warning: Failed to load ruby LDAP library. LDAP functionality will not be available
Finished
# Tell every agent to run now. For a single host, give its certname, e.g. node1.ruopu.com; a short name such as node1 is not the certname and the push fails. Several certnames can be listed, separated by spaces.
# Pushing is slow; in my tests pushing to all hosts at once was extremely slow, so I pushed to one host at a time.
------------- agent1 -------------
[root@node1 ~]# rpm -q nginx                  # nginx has been installed
[root@node1 ~]# ss -tln                       # and the service is listening
[root@node1 ~]# vim /etc/nginx/nginx.conf     # and the configuration file has been replaced by the module's copy
# This takes a while; the changes appear some time after the push from the master.
===========================================================================================
Recovering when an agent's certificate is broken or a push fails
------------ master ------------
[root@puppet ~]# puppet cert --clean node1.ruopu.com
# Revokes the node's certificate (it is added to the CRL) and deletes its certificate and any pending request from the master's store. The node must submit a fresh request afterwards.
---------- agent ----------
[root@puppettest1 ~]# systemctl stop puppetagent         # stop the agent first
[root@puppettest1 ~]# rm -rf /var/lib/puppet/ssl/*        # wipe all keys and certificates (on the agent only; never on the master, whose ssl directory holds the CA)
[root@puppettest1 ~]# systemctl start puppetagent        # start again: a new key pair and CSR are generated
------------ master ------------
[root@puppet ~]# puppet cert --list --all
[root@puppet ~]# puppet cert --sign --all                 # sign the new request (preferably by name, after checking the fingerprint)
[root@puppet ~]# tail -f /var/log/puppet/masterhttp.log   # watch the log
[root@puppet ~]# tree /var/lib/puppet/ssl/                # inspect the certificate store
===========================================================================================